Page MenuHomePhorge

systemd introduces memory protection
Open, NormalPublic

Description

A great new security feature comes to systemd. Will be good to have for Whonix daemons:

Systemd 231 will allow the MemoryLimit and TasksMax and related unit settings to be specified as a percentage, support for the "memory" cgroup controller on cgroupsv2, a new MemoryDenyWriteExecute (optional) setting to prevent a service from creating memory mappings that are writable and executable at the same time (great for security!), systemd-resolved improvements, various other network-related systemd additions, support for VERSION_CODENAME in the os-release file, and many other changes.

http://www.phoronix.com/?page=news_item&px=systemd-231-Features

Patrick said:
Setting MemoryLimit, TasksMax and maybe other related settings might be useful for some services such as sdwdate. More of a reliability improvement in case the service has a resource exhaustion bug. It cannot prevent local DOS because kernel / systemd does not provide IO limiting as found out during constrained system resources program starter wrapper development.

Details

Impact
Normal